Lifting the legacy: how to upgrade (even the oldest systems)
The NHS is slowly replacing old, vulnerable technology, a new report reveals. And it’s an issue we all face. How do you keep complex systems up-to-date? How do you balance the importance of patching with the risk of disruption? And when does fit-for-purpose become dangerously outdated?
Healthcare organisations are steadily improving their IT security defences and updating legacy hardware, but there are still substantial vulnerabilities within their networks that have the potential to cause devastating damage and additional strain on critical services, a report has found.
The Connected Medical Device Security (CMDS) report, published by Forescout, found that the number of soon-to-be unsupported versions of Windows devices found in its sample of healthcare networks has decreased to 32%. Last year, that number was 71%; the report’s authors suggest this indicates the industry is taking steps in the right direction to meet current cyber-security standards.
The percentage of devices still running entirely unsupported operating systems, however – including Windows XP and Windows Server 2003 – has remained unchanged at 0.4%. While this number is small, these devices tend to be some of the most critical within healthcare organisations, highlighting that the risk posed by legacy operating systems remains.
“WannaCry crippled the NHS back in 2017 and outdated systems played a huge role, so it’s great to see that healthcare organisations are making the necessary improvements to their IT in order to keep their networks safe,” explained Rich Orange, regional director, UK&I at Forescout.
“That said, many are still struggling to protect and secure everything that’s connected on the network. It only takes one connected device to fall victim to a bad actor to ultimately take down an entire system – that scenario doesn’t bear thinking about with the current pressure on healthcare services.”
The legacy lag
There are lessons all organisations can learn when it comes to eliminating legacy systems. Tim Mackey, principal security strategist at the Synopsys CyRC, told SC Media UK that before thinking about upgrading, it’s important to understand why that system has become obsolete.
“Often a system gains ‘legacy’ status because the manufacturer either stops supporting it, or goes out of business. While there might be every intent to adopt a replacement system, the available alternatives might lack certain features, have prohibitive pricing, or require significant retraining for employees.
“When faced with the option of a system that is working properly but is suddenly unsupported, compared to migrating to a replacement platform, many businesses view the risk posed by the status quo as lower. This is a ‘point in time’ decision that should be subject to ongoing review.
“If the system has gone unpatched for a long period of time, but is still vendor-supported, then the system should be updated, but only if you can test the system in a non-production environment,” said Mackey.
From a cybersecurity perspective, operating a system without access to security updates and security information is risky. “But so too is attempting to patch a critical system where you don’t have the capacity to fully test it,” adds Mackey, “after all, there is a large gap between ‘works for me’ and a ‘securely configured system’ – and vendors have large QA teams to validate their software prior to its release.”
The risk increases the longer you use unsupported software. Steven Furnell, senior member of the IEEE and Professor of Cyber Security at the University of Nottingham, told SC Media UK that a fundamental challenge is recognising that you have legacy systems and knowing where they are: “You need to understand clearly what role these devices play and be aware of when they might transition from current to legacy. And you need to recognise that this isn’t your decision but the provider’s.
“Transitioning from legacy devices, or instigating effective measures to protect them, benefits from time and planning. You don’t want to be caught out and have to do a hurried response on the fly.”
NHS health check
As for the NHS… the CMDS report found that network segmentation within healthcare organisations is on the rise, with a sharp decrease in deployments running only one VLAN, while there is an increase in deployments with more than 25 VLANs.
Yet computers, printers and even personal devices such as smartphones were often in the same VLAN as healthcare equipment such as patient monitors and X-ray machines. Among VLANs containing at least one healthcare device, 60% of organisations also had non-healthcare devices on the same segment, and 90% of such VLANs have a mix of healthcare devices and IT devices.
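The two findings above (which VLANs mix clinical and IT devices, and which devices are already unsupported or about to become so) are the kind of thing an organisation can answer from its own asset inventory rather than wait for an annual report. The following is an added Python example, not code from the report or from Forescout: the inventory, hostnames and VLAN numbers are constructed, and the end-of-support dates are the vendor's extended-support end dates for the named Windows versions, which should be checked against the vendor's lifecycle pages before use.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    hostname: str
    vlan: int
    role: str  # "healthcare", "it" or "personal"
    os: str


# Extended-support end dates for the versions the report names (verify against the vendor).
# Anything not listed here is treated as "no known end date" and is not flagged.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed sample inventory: three VLANs carry clinical devices, two of them also carry
# non-clinical devices, and two hosts run fully unsupported operating systems.
INVENTORY = [
    Device("mon-icu-01", 10, "healthcare", "Windows XP"),
    Device("ct-scanner-01", 10, "healthcare", "Windows 7"),
    Device("ws-reception-03", 10, "it", "Windows 10"),
    Device("printer-ward-2", 20, "it", "embedded"),
    Device("xray-01", 30, "healthcare", "Windows Server 2003"),
    Device("phone-visitor", 30, "personal", "Android 9"),
    Device("pacs-srv-01", 40, "healthcare", "Windows Server 2008 R2"),
    Device("ws-admin-01", 50, "it", "Windows 10"),
]


def unsupported(inventory, as_of):
    """Devices whose OS passed its end-of-support date on or before as_of."""
    return [d for d in inventory
            if d.os in END_OF_SUPPORT and END_OF_SUPPORT[d.os] <= as_of]


def soon_unsupported(inventory, as_of, horizon_days=90):
    """Devices whose OS is still supported but loses support within horizon_days."""
    cutoff = as_of + timedelta(days=horizon_days)
    return [d for d in inventory
            if d.os in END_OF_SUPPORT and as_of < END_OF_SUPPORT[d.os] <= cutoff]


def share(subset, inventory):
    """Fraction of the inventory that falls in subset (0.0 to 1.0)."""
    return len(subset) / len(inventory) if inventory else 0.0


def mixed_clinical_vlans(inventory):
    """Return (clinical VLANs, clinical VLANs that also carry non-clinical devices)."""
    roles = defaultdict(set)
    for d in inventory:
        roles[d.vlan].add(d.role)
    clinical = {v for v, r in roles.items() if "healthcare" in r}
    mixed = {v for v in clinical if roles[v] - {"healthcare"}}
    return clinical, mixed


def summary(inventory, as_of, horizon_days=90):
    """One record with the report's headline metrics for this inventory."""
    clinical, mixed = mixed_clinical_vlans(inventory)
    return {
        "unsupported_share": share(unsupported(inventory, as_of), inventory),
        "soon_unsupported_share": share(soon_unsupported(inventory, as_of, horizon_days), inventory),
        "mixed_clinical_vlan_share": len(mixed) / len(clinical) if clinical else 0.0,
        "mixed_vlans": sorted(mixed),
    }


if __name__ == "__main__":
    today = date(2019, 11, 1)  # fixed date so the sample output is reproducible
    for d in unsupported(INVENTORY, today):
        print(f"UNSUPPORTED   vlan {d.vlan:<3} {d.hostname:<16} {d.os}")
    for d in soon_unsupported(INVENTORY, today):
        print(f"ENDS <90 DAYS vlan {d.vlan:<3} {d.hostname:<16} {d.os}")
    print(summary(INVENTORY, today))
```

Passing `as_of` explicitly rather than reading the clock makes the check repeatable in a CI job or a ticket, and the `horizon_days` window is what turns "currently supported" into the early warning Furnell describes: a device can be scheduled for testing and migration while it is still patchable rather than after it has silently crossed into legacy status.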
“To avoid an attack that could have the same impact as that of WannaCry, organisations need to have full situational awareness of their network. This, coupled with effective segmentation to stop attackers moving laterally through the network, will help prevent something as important as medical data being exploited or critical public services being taken offline,” said Orange.
Ori Bach, CEO at TrapX Security, told SC Media UK that, as in other industries, the attackers in healthcare may be standalone operators or part of larger organised crime syndicates: “The great majority are clearly after valuable healthcare data and economic gain.
“The typical NHS hospital is replete with internet connected systems and medical devices. Attackers know that network-connected medical devices such as patient monitors and CT scanners are easy points of entry.
“The pandemic and rapid establishment of the NHS Nightingale hospitals and influx of new medical devices such as respirators has created a perfect storm for cyber attackers. Since healthcare devices and IT have converged, the NHS must assume that attackers will penetrate their networks regularly. They will get in.”